Although DDoS mitigation solutions have been around for nearly 20 years, there are still some myths about DDoS attacks and much debate about how to best protect a network. Some IT professionals think that as long as they have a layered defense approach: i.e., a firewall, load balancers, an intrusion prevention system (IPS), and a DDoS mitigation service, they are safe. (Actually, many believe they don’t even need a DDoS mitigation service.)
A recent blog post by Kemp Technologies states:
“To mitigate or avoid the same fate suffered by Dyn, companies should lock down their DNS servers to prevent them from being used as part of an attack as well as implement DDoS mitigation services that can detect and react when a volumetric attack is being staged. Load Balancers with integrated intrusion prevention (IPS) and web application firewall (WAF) services also add another layer of protection by detecting and preventing application-focused Layer 7 DDoS attacks.”
Volumetric vs. Sub-Saturating DDoS Attacks
The key phrase I want to point out from the above quote is “volumetric attack.” When most people think of DDoS attacks, they think in terms of high bandwidth-consuming DDoS attacks. Volumetric DDoS attacks are easier to identify and defend against, with on-premises or cloud anti-DDoS solutions, or a combination of both. But DDoS attacks are not always volumetric. The fact is, the majority of DDoS attacks are small and fly “under the radar.”
Partial saturation attacks have sufficient capacity to take down a firewall, IPS, Web Application Server or back-end infrastructure without saturating the pipe. Once a firewall is down, hackers need just minutes or seconds to infiltrate a network and perform a security breach.
Automatic Response vs. Human Intervention
Corero is not opposed to DDoS mitigation services; indeed, they can be a useful adjunct to an automated DDoS mitigation solution. However, a mitigation service alone is insufficient because 1) before a service is engaged, someone or something---a computer or human---must detect a DDoS attack in progress, and 2) it takes 20-30 minutes to redirect the “bad” traffic, thus allowing more nefarious security breaches to occur during that time.
To detect and block these sub-saturating attacks, companies need automated, real-time DDoS mitigation hardware in place. Without it, an organization has to constantly monitor and create filters and signatures on the fly, with the help of a human security analyst. Indeed, detecting these attacks utilizing a cloud-based model is an expensive proposition, not to mention it delays the actual mitigation.
IT professionals are sorely mistaken if they believe that their traditional layers of defense are enough to protect them from DDoS attacks.
For more information, contact us.